Fraud Campaign Targets Accounts Payable Contacts at Fortune 500 Firms

A new business email compromise (BEC) campaign is targeting accounts payable personnel at Fortune 500 companies in an attempt to trick victims into initiating fraudulent wire transactions to attacker-controlled accounts, IBM warns.

As part of BEC scams, attackers take over or impersonate a trusted user’s email account to target other companies and divert funds to their accounts. Based on phishing and social engineering, such attacks are relatively simple to perform and are attractive to cybercriminals, IBM notes.

As part of the recently observed campaign, attackers used well-crafted social engineering tactics and phishing emails to obtain legitimate credentials from their targets. The emails appeared to come from known contacts and mimicked previous conversations, while in some cases the attackers managed to insert themselves into ongoing conversations between business users.

Posing as the known contact from a vendor or associated company, the attackers then requested that payments be sent to a new bank account number or beneficiary.

By creating mail filters, the attackers ensured they would communicate only with the victim. In some cases, they also found and filled out necessary forms or spoofed supervisor emails to provide victim with additional approval.

The group behind the attacks, IBM says,likely operates out of Nigeria, given the spoofed sender email addresses and IP addresses that were used. However, compromised servers and proxies are often used to hide the attackers’ location.

The actors created spoofed DocuSign login pages on over 100 compromised websites in various geographic locations. Targeted companies were identified in the retail, healthcare, financial and professional services industries, including Fortune 500 companies.

To harvest business user credentials, the attackers sent a mass phishing email to the user’s internal and external contacts, often to several hundreds of them. The message included a link supposedly leading to a business document, but instead redirecting the victim to a fraudulent “DocuSign” portal requesting authentication for download.

Next, the attackers filtered out the stolen credentials and only used those from companies that only require a username and password when employees access their email accounts.

“The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts,” IBM notes.

Following a reconnaissance phase, the attackers engaged with the targeted employee and impersonated vendors or associated companies with established relations to the client. The attackers likely conducted extensive research on the target’s organizational structure and engaged into operations such as impersonating victims, finding and spoofing internal documents, and setting up multiple domains and emails to pose as higher-level authorities.

The attackers set up domains that resembled those of the target company’s vendors, either using a hard-to-identify typo change or registering the vendor’s name with a different top-level domain (TLD). They used these domain names to set up email accounts purporting to belong to known employees and used the accounts to send emails directly to the targets.

“Finally, although the attackers made some grammatical and colloquial mistakes, their English skills were proficient and the few mistakes they made could be easily overlooked by the target. The attackers created a false sense of reality around the target and imparted a sense of urgency to pay, resulting in successful scams involving millions of dollars,” IBM explains.

The attackers either created email rules or auto-deleted all emails delivered from within the user’s company to prevent victims from noticing fraudulent correspondence or unusual messages in their inbox. They also auto-forwarded email responses to different addresses to read them without logging into the compromised accounts.

The security researchers say the attackers had “more financial success using shell corporations and corresponding bank accounts based in Hong Kong or China rather than using consumer bank accounts, in which cases financial institutions were more likely to delay or block large or unusual transactions.”

The shell corporations involved in the BEC scams were registered within the past year, some on the same month payments were requested to the account. Wire transfers associated with BEC scams usually end up in accounts at banks located in China and Hong Kong, IBM notes.